From patchwork Fri Mar 5 12:16:23 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frode Nordahl X-Patchwork-Id: 1447793 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DsRbm50P5z9sWP for ; Fri, 5 Mar 2021 23:18:44 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 9A9D34ECF7; Fri, 5 Mar 2021 12:18:41 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i2A8vEL5N1vj; Fri, 5 Mar 2021 12:18:40 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp4.osuosl.org (Postfix) with ESMTP id 6AA264B7CF; Fri, 5 Mar 2021 12:18:39 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 7360EC0016; Fri, 5 Mar 2021 12:18:37 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 3E032C0001 for ; Fri, 5 Mar 2021 12:18:36 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 3A7BB8452E for ; Fri, 5 Mar 2021 12:18:36 +0000 (UTC) X-Virus-Scanned: amavisd-new 
From: Frode Nordahl
To: dev@openvswitch.org
Date: Fri, 5 Mar 2021 13:16:23 +0100
Subject: [ovs-dev] [PATCH ovn v2 1/9] northd: Amend RBAC rules for Port_Binding table

When `ovn-controller` claims a virtual lport it will update the Port_Binding table with which chassis currently has claimed the port as well as recording information about the virtual parent lport [0].

When `ovn-controller` claims a lport it will also update the encap field of the Port_Binding table if set and an update is needed.

The current RBAC rules do not allow for these updates.

0: https://github.com/ovn-org/ovn/blob/b7b0fbdab03ce8b39d5bdc114876e6b0d0683892/controller/pinctrl.c#L6150

Fixes: 054f4c85c ("Add a new logical switch port type - 'virtual'")
Fixes: 6c8b9a132 ("ovn-controller: Store the local port bindings in the runtime data I-P state")
Reported-At: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475
Signed-off-by: Frode Nordahl
---
 northd/ovn-northd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index ac872aade..bafcb51e9 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -13251,7 +13251,7 @@ static const char *rbac_encap_update[] = static const char *rbac_port_binding_auth[] = {""}; static const char *rbac_port_binding_update[] = - {"chassis", "up"}; + {"chassis", "encap", "up", "virtual_parent"}; static const char *rbac_mac_binding_auth[] = {""}; From patchwork Fri Mar 5 12:16:24 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frode Nordahl X-Patchwork-Id: 1447791 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.136; helo=smtp3.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DsRbm6NGzz9sWQ for ; Fri, 5 Mar 2021 23:18:44 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 9248A6FB8B; Fri, 5 Mar 2021 12:18:42 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zq62B26wHfM4; Fri, 5 Mar 2021 12:18:41 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp3.osuosl.org (Postfix) with ESMTP id 73F636FB63; Fri, 5 Mar 2021 12:18:40 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 4CCAEC0018; Fri, 5 Mar 2021 12:18:39 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org 
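Review bot: this hunk widens the Port_Binding columns an ovn-controller may update from {"chassis", "up"} to {"chassis", "encap", "up", "virtual_parent"} while rbac_port_binding_auth stays {""}, so the extra write access applies to every row in the table, not only rows the writing chassis already owns. That is what the commit message needs for virtual lport claims, but the patch adds no test that performs such a claim with RBAC enabled; one would have caught this before it reached the Reported-At bug and will catch the next column ovn-controller starts writing.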
From: Frode Nordahl
To: dev@openvswitch.org
Date: Fri, 5 Mar 2021 13:16:24 +0100
Message-Id: <12c6eac5f0876cd785c72b16c80fbd5d73906f21.1614945892.git.frode.nordahl@canonical.com>
Subject: [ovs-dev] [PATCH ovn v2 2/9] northd: Add missing RBAC rules for FDB table

The recently added FDB table did not get its RBAC rules, which would prohibit an `ovn-controller` from updating it with RBAC enabled.

Fixes: 6ec3b1259 ("MAC learning: Add a new FDB table in southbound db")
Signed-off-by: Frode Nordahl
---
 northd/ovn-northd.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index bafcb51e9..bb8f3032c 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -13248,6 +13248,11 @@ static const char *rbac_encap_auth[] = static const char *rbac_encap_update[] = {"type", "options", "ip"}; +static const char *rbac_fdb_auth[] = + {""}; +static const char *rbac_fdb_update[] = + {"dp_key", "mac", "port_key"}; + static const char *rbac_port_binding_auth[] = {""}; static const char *rbac_port_binding_update[] = 
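Review bot: with rbac_fdb_auth set to {""} and rbac_fdb_update listing dp_key, mac and port_key, every column of any FDB row becomes writable by any chassis, not only by the chassis that learned the entry. If ovn-controller only inserts and deletes FDB rows, an empty update list would keep the table append-only from the chassis side and limit what a misbehaving chassis can rewrite; if updates really are needed, a comment naming the ovn-controller code path that performs them would help the next reviewer of this table.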
@@ -13300,6 +13305,14 @@ static struct rbac_perm_cfg { .update = rbac_encap_update, .n_update = ARRAY_SIZE(rbac_encap_update), .row = NULL + },{ + .table = "FDB", + .auth = rbac_fdb_auth, + .n_auth = ARRAY_SIZE(rbac_fdb_auth), + .insdel = true, + .update = rbac_fdb_update, + .n_update = ARRAY_SIZE(rbac_fdb_update), + .row = NULL },{ .table = "Port_Binding", .auth = rbac_port_binding_auth, From patchwork Fri Mar 5 12:16:25 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frode Nordahl X-Patchwork-Id: 1447794 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.136; helo=smtp3.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DsRbr1Vz8z9sWR for ; Fri, 5 Mar 2021 23:18:47 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id E7DDF6FB6F; Fri, 5 Mar 2021 12:18:43 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WpFGgfaeFsIp; Fri, 5 Mar 2021 12:18:43 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp3.osuosl.org (Postfix) with ESMTP id C42506FB68; Fri, 5 Mar 2021 12:18:41 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 3732DC001B; Fri, 5 Mar 2021 12:18:40 +0000 (UTC) X-Original-To: dev@openvswitch.org 
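Review bot: the new FDB entry keeps rbac_perm_cfg alphabetical between Encap and Port_Binding and sets .insdel = true as the commit message requires. The C and DDlog northd must agree on this list (patch 5/9 in this series adds the matching sb::Out_RBAC_Permission rule), so a test comparing the RBAC_Permission rows produced by both implementations would stop them from diverging again.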
From: Frode Nordahl
To: dev@openvswitch.org
Date: Fri, 5 Mar 2021 13:16:25 +0100
Message-Id: <17bcd6fa34d10921e357594fcaf8da4c5a743d61.1614945892.git.frode.nordahl@canonical.com>
Subject: [ovs-dev] [PATCH ovn v2 3/9] northd: Amend Chassis RBAC rules

The Transport Zones support does not currently work when RBAC is enabled.

Fixes: 07d0d258d ("OVN: Add support for Transport Zones")
Signed-off-by: Frode Nordahl
---
 northd/ovn-northd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index bb8f3032c..f85a3dcff 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -13236,7 +13236,7 @@ static const char *rbac_chassis_auth[] = {"name"}; static const char *rbac_chassis_update[] = {"nb_cfg", "external_ids", "encaps", "vtep_logical_switches", - "other_config"}; + "other_config", "transport_zones"}; static const char *rbac_chassis_private_auth[] = {"name"}; From patchwork Fri Mar 5 12:16:26 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frode Nordahl X-Patchwork-Id: 1447796 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.136; helo=smtp3.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DsRbx4NKQz9sSC for ; Fri, 5 Mar 2021 23:18:53 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id C6CB86FBA2; Fri, 5 Mar 2021 12:18:46 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VQTSINCbtoO6; Fri, 5 Mar 2021 12:18:46 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp3.osuosl.org (Postfix) with ESMTP id B56446FB94; Fri, 5 Mar 2021 12:18:44 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 0EAA7C0017; Fri, 5 Mar 2021 12:18:44 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org 
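Review bot: adding "transport_zones" to rbac_chassis_update stays scoped by rbac_chassis_auth = {"name"} in the context lines, so a chassis can only change the transport zones on its own row, which is the right boundary. The commit message says Transport Zones do not work with RBAC enabled, yet the hunk adds no test; a check that a chassis can set and clear transport_zones under SSL+RBAC would pin this rule down.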
From: Frode Nordahl
To: dev@openvswitch.org
Date: Fri, 5 Mar 2021 13:16:26 +0100
Subject: [ovs-dev] [PATCH ovn v2 4/9] northd: Add Controller_Event RBAC rules

The use of the Controller_Event table does not currently work when RBAC is enabled.

Fixes: be1eeb09d ("OVN: introduce Controller_Event table")
Signed-off-by: Frode Nordahl
---
 northd/ovn-northd.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index f85a3dcff..c4a3f2383 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -13248,6 +13248,12 @@ static const char *rbac_encap_auth[] = static const char *rbac_encap_update[] = {"type", "options", "ip"}; +static const char *rbac_controller_event_auth[] = + {""}; +static const char *rbac_controller_event_update[] = + {"chassis", "event_info", "event_type", "seq_num"}; + + static const char *rbac_fdb_auth[] = {""}; static const char *rbac_fdb_update[] = 
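Review bot: the hunk leaves two consecutive blank lines after rbac_controller_event_update (two bare "+" lines before rbac_fdb_auth) where the surrounding declarations use one. More substantively, with authorization {""} the listed update columns, chassis included, are writable on any Controller_Event row by any chassis, so if ovn-controller only creates and removes its own events the update list could be trimmed to the columns it actually modifies.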
@@ -13297,6 +13303,14 @@ static struct rbac_perm_cfg { .update = rbac_chassis_private_update, .n_update = ARRAY_SIZE(rbac_chassis_private_update), .row = NULL + },{ + .table = "Controller_Event", + .auth = rbac_controller_event_auth, + .n_auth = ARRAY_SIZE(rbac_controller_event_auth), + .insdel = true, + .update = rbac_controller_event_update, + .n_update = ARRAY_SIZE(rbac_controller_event_update), + .row = NULL },{ .table = "Encap", .auth = rbac_encap_auth, From patchwork Fri Mar 5 12:16:27 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frode Nordahl X-Patchwork-Id: 1447795 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.136; helo=smtp3.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DsRbt50B4z9sSC for ; Fri, 5 Mar 2021 23:18:50 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 26B2C6FB96; Fri, 5 Mar 2021 12:18:45 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iQJcWA0QHIu4; Fri, 5 Mar 2021 12:18:44 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp3.osuosl.org (Postfix) with ESMTP id 2134D6FB8D; Fri, 5 Mar 2021 12:18:43 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id EF3D4C0011; 
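Review bot: the Controller_Event entry slots alphabetically between Chassis_Private and Encap and sets .insdel = true, which the commit message needs. Since this is the fourth RBAC table in the series fixed after the fact, a northd test asserting the full set of RBAC_Permission tables and columns that northd programs would turn the next omission into a test failure rather than a field report.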
From: Frode Nordahl
To: dev@openvswitch.org
Date: Fri, 5 Mar 2021 13:16:27 +0100
Subject: [ovs-dev] [PATCH ovn v2 5/9] northd-ddlog: Update RBAC rules

This patch summarizes a series of fixes to the C northd for missing or out-of-date RBAC rules and updates the DDlog version of Northd accordingly.

Signed-off-by: Frode Nordahl
---
 northd/ovn_northd.dl | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl
index 4482cffc0..8bc6dd9f6 100644
--- a/northd/ovn_northd.dl
+++ b/northd/ovn_northd.dl
@@ -1257,7 +1257,8 @@ sb::Out_RBAC_Permission ( .authorization = set_singleton("name"), .insert_delete = true, .update = ["nb_cfg", "external_ids", "encaps", - "vtep_logical_switches", "other_config"].to_set() + "vtep_logical_switches", "other_config", + "transport_zones"].to_set() ). sb::Out_RBAC_Permission ( @@ -1281,7 +1282,7 @@ sb::Out_RBAC_Permission ( .table = "Port_Binding", .authorization = set_singleton(""), .insert_delete = false, - .update = ["chassis", "up"].to_set() + .update = ["chassis", "encap", "up", "virtual_parent"].to_set() ). sb::Out_RBAC_Permission ( @@ -1308,6 +1309,23 @@ sb::Out_RBAC_Permission ( .update = ["address", "chassis", "datapath", "ports"].to_set() ). +sb::Out_RBAC_Permission ( + ._uuid = 128'h2e5cbf3d_26f6_4f8a_9926_d6f77f61654f, + .table = "Controller_Event", + .authorization = set_singleton(""), + .insert_delete = true, + .update = ["chassis", "event_info", "event_type", + "seq_num"].to_set() +). + +sb::Out_RBAC_Permission ( + ._uuid = 128'hb70964fc_322f_4ae5_aee4_ff6afadcc126, + .table = "FDB", + .authorization = set_singleton(""), + .insert_delete = true, + .update = ["dp_key", "mac", "port_key"].to_set() +). + /* * RBAC_Role: fixed */ 
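Review bot: the new sb::Out_RBAC_Permission rows carry fixed _uuid literals (128'h2e5cbf3d_... and 128'hb70964fc_...) that must match the references added to the role's permissions map in the next hunk; a typo in either copy would silently leave the role without that permission. A comment next to these literals pointing at the role definition, or a test that checks every permission UUID in the role resolves to a row, would guard against that. The Chassis and Port_Binding update sets mirror patches 1/9 and 3/9, which keeps the C and DDlog northd in agreement.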
@@ -1317,7 +1335,9 @@ sb::Out_RBAC_Role ( .permissions = [ "Chassis" -> 128'h7df3749a_1754_4a78_afa4_3abf526fe510, "Chassis_Private" -> 128'h07e623f7_137c_4a11_9084_3b3f89cb4a54, + "Controller_Event" -> 128'h2e5cbf3d_26f6_4f8a_9926_d6f77f61654f, "Encap" -> 128'h94bec860_431e_4d95_82e7_3b75d8997241, + "FDB" -> 128'hb70964fc_322f_4ae5_aee4_ff6afadcc126, "Port_Binding" -> 128'hd8ceff1a_2b11_48bd_802f_4a991aa4e908, "MAC_Binding" -> 128'h6ffdc696_8bfb_4d82_b620_a00d39270b2f, "Service_Monitor"-> 128'h39231c7e_4bf1_41d0_ada4_1d8a319c0da3] From patchwork Fri Mar 5 12:16:28 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frode Nordahl X-Patchwork-Id: 1447798 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.136; helo=smtp3.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DsRc03pnYz9sWP for ; Fri, 5 Mar 2021 23:18:56 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id CE04D6FB91; Fri, 5 Mar 2021 12:18:48 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EGXi_I3I4JRv; Fri, 5 Mar 2021 12:18:47 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp3.osuosl.org (Postfix) with ESMTP id 667BF6FB98; Fri, 5 Mar 2021 12:18:46 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost 
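Review bot: the "Controller_Event" and "FDB" entries are inserted into the permissions map in alphabetical position, but the existing map lists "Port_Binding" before "MAC_Binding", so the ordering is not consistent. Minor, but if the list is meant to stay sorted (the new entries suggest so), sorting the whole map in this hunk would settle the question.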
From: Frode Nordahl
To: dev@openvswitch.org
Date: Fri, 5 Mar 2021 13:16:28 +0100
Message-Id: <0819add2200970ed04db377922d85eea2b73f94a.1614945892.git.frode.nordahl@canonical.com>
Subject: [ovs-dev] [PATCH ovn v2 6/9] tests: Amend release stale port binding test for RBAC

The current version of the test attempts to simulate chassis registration prior to starting `ovn-controller`; however, it does not set the `hostname` field.

The RBAC role for `ovn-controller` does not allow a chassis to change its own name or hostname, which makes sense as this is used for authentication.

Update the test to set the `hostname` field when simulating chassis registration so that `ovn-controller` does not attempt to update it and subsequently make the test fail.

Fixes: b6b3823d4 ("ovn-controller: Fix I-P for SB Port_Binding and OVS Interface")
Signed-off-by: Frode Nordahl
Acked-by: Mark Michelson
---
 tests/ovn.at | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/ovn.at b/tests/ovn.at
index bec593dcc..ca9623fee 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -21572,7 +21572,7 @@ ovn-nbctl --wait=sb lsp-add ls1 lsp1 # Simulate the fact that lsp1 had been previously bound on hv1. ovn-sbctl --id=@e create encap chassis_name=hv1 ip="192.168.0.1" type="geneve" \ - -- --id=@c create chassis name=hv1 encaps=@e \ + -- --id=@c create chassis hostname=hv1 name=hv1 encaps=@e \ -- set Port_Binding lsp1 chassis=@c as hv1 From patchwork Fri Mar 5 12:16:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frode Nordahl X-Patchwork-Id: 1447797 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DsRbz1Vhnz9sSC for ; Fri, 5 Mar 2021 23:18:55 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id BE5344ED29; Fri, 5 Mar 2021 12:18:52 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R0XacEtqMJde; Fri, 5 Mar 2021 12:18:51 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp4.osuosl.org (Postfix) with ESMTP id D2DF54ED41; Fri, 5 Mar 2021 12:18:49 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 92704C000B; Fri, 5 Mar 2021 12:18:49 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: 
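Review bot: setting hostname=hv1 on the simulated chassis row means the real ovn-controller no longer attempts the hostname update that the RBAC role forbids, which is the correct fix. The surrounding comment only says lsp1 had been previously bound on hv1, so a one-line note that hostname is set because RBAC ties name and hostname to the chassis identity would stop a future cleanup from dropping the field again.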
From: Frode Nordahl
To: dev@openvswitch.org
Date: Fri, 5 Mar 2021 13:16:29 +0100
Subject: [ovs-dev] [PATCH ovn v2 7/9] tests: Use ovn_start in tests/ovn-controller.at

The current version of the tests only initializes the SB DB and instruments it directly. This does not work with SSL+RBAC, as northd must run to program the RBAC rules into the SB DB.

Run tests for both the C and ddlog versions of northd.

Add a workaround for ovn-controller not re-reading certificates to the 'ovn-controller - Chassis other_config' test.

Signed-off-by: Frode Nordahl
---
 tests/ovn-controller.at | 50 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 44 insertions(+), 6 deletions(-)

diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
index 2cd3e261f..1dd1553cd 100644
--- a/tests/ovn-controller.at
+++ b/tests/ovn-controller.at
@@ -1,8 +1,9 @@ AT_BANNER([ovn-controller]) +OVN_FOR_EACH_NORTHD([ AT_SETUP([ovn-controller - ovn-bridge-mappings]) AT_KEYWORDS([ovn]) -ovn_init_db ovn-sb +ovn_start net_add n1 sim_add hv as hv @@ -54,6 +55,14 @@ check_bridge_mappings () { OVS_WAIT_UNTIL([test x"${local_mappings}" = x$(ovn-sbctl get Chassis ${sysid} other_config:ovn-bridge-mappings | sed -e 's/\"//g')]) } +# NOTE: This test originally ran with only the SB-DB and no northd. For the +# test to be successfull with SSL+RBAC we need to initially run northd to get +# the RBAC rules programmed into the SB-DB. The test instruments the SB-DB +# directly and we need to stop northd to avoid overwriting the instrumentation. +kill `cat northd/ovn-northd.pid` +kill `cat northd-backup/ovn-northd.pid` +kill `cat ovn-nb/ovsdb-server.pid` + # Initially there should be no patch ports. check_patches @@ -116,12 +125,14 @@ as ovn-sb OVS_APP_EXIT_AND_WAIT([ovsdb-server]) AT_CLEANUP +]) # Checks that ovn-controller populates datapath-type and iface-types # correctly in the Chassis other_config column. +OVN_FOR_EACH_NORTHD([ AT_SETUP([ovn-controller - Chassis other_config]) AT_KEYWORDS([ovn]) -ovn_init_db ovn-sb +ovn_start net_add n1 sim_add hv 
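Review bot: the three kill `cat ...pid` lines run unchecked, so a missing pid file leaves northd alive and lets it overwrite the direct SB-DB instrumentation the comment warns about, intermittently; killing through the same helper the cleanup path already uses (OVS_APP_EXIT_AND_WAIT appears at the end of this test) and waiting for exit would make the stop deterministic. Also, "successfull" in the added comment should be "successful".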
@@ -192,7 +203,21 @@ OVS_WAIT_UNTIL([ # chassis_private records. Until that happens ovn-controller fails to # create the records due to constraint violation on the Encap table. sysid=${sysid}-foo -ovs-vsctl set Open_vSwitch . external-ids:system-id="${sysid}" +current_remote=`ovs-vsctl get Open_vSwitch . external-ids:ovn-remote` +if test X$HAVE_OPENSSL = Xyes; then + # To change chassis name we need to change certificate with matching CN + ovs-vsctl set-ssl \ + $PKIDIR/testpki-${sysid}-privkey.pem \ + $PKIDIR/testpki-${sysid}-cert.pem \ + $PKIDIR/testpki-cacert.pem + # force reconnect which makes OVN controller read the new certificates + # TODO implement check for change of certificates in ovn-controller + # and remove this workaround. + ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=unix:/dev/null +fi +ovs-vsctl -- set Open_vSwitch . external-ids:hostname="${sysid}" \ + -- set Open_vSwitch . external-ids:system-id="${sysid}" \ + -- set Open_vSwitch . external-ids:ovn-remote="${current_remote}" OVS_WAIT_UNTIL([ grep -q 'Transaction causes multiple rows in \\"Encap\\" table to have identical values' hv/ovn-controller.log @@ -216,12 +241,14 @@ as ovn-sb OVS_APP_EXIT_AND_WAIT([ovsdb-server]) AT_CLEANUP +]) # Checks that ovn-controller correctly maintains the mapping from the Encap # table in the Southbound database to OVS in the face of changes on both sides +OVN_FOR_EACH_NORTHD([ AT_SETUP([ovn-controller - change Encap properties]) AT_KEYWORDS([ovn]) -ovn_init_db ovn-sb +ovn_start net_add n1 sim_add hv @@ -271,11 +298,13 @@ as ovn-sb OVS_APP_EXIT_AND_WAIT([ovsdb-server]) AT_CLEANUP +]) # Check ovn-controller connection status to Southbound database +OVN_FOR_EACH_NORTHD([ AT_SETUP([ovn-controller - check sbdb connection]) AT_KEYWORDS([ovn]) -ovn_init_db ovn-sb +ovn_start net_add n1 sim_add hv 
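Review bot: the HAVE_OPENSSL branch makes the test depend on the certificate CN matching the new chassis name, which is exactly what the Chassis RBAC rule (authorization by name) enforces, so this is the right place to say so in the comment. The reconnect workaround via ovn-remote=unix:/dev/null is marked TODO but references no tracked issue, and the test never asserts that the controller reconnected with the new identity: the later OVS_WAIT_UNTIL on the Encap error message only shows it reached the SB-DB again, so a check on the Chassis row created under the new name would close that gap.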
@@ -305,11 +334,13 @@ as ovn-sb OVS_APP_EXIT_AND_WAIT([ovsdb-server]) AT_CLEANUP +]) # Checks that ovn-controller recreates its chassis record when deleted externally. +OVN_FOR_EACH_NORTHD([ AT_SETUP([ovn-controller - Chassis self record]) AT_KEYWORDS([ovn]) -ovn_init_db ovn-sb +ovn_start net_add n1 sim_add hv @@ -360,8 +391,10 @@ OVS_WAIT_UNTIL([test x0 = x`ovn-sbctl --columns nb_cfg --bare find chassis`]) OVN_CLEANUP([hv]) AT_CLEANUP +]) # Test unix command: debug/delay-nb-cfg-report +OVN_FOR_EACH_NORTHD([ AT_SETUP([ovn-controller - debug/delay-nb-cfg-report]) AT_KEYWORDS([ovn]) ovn_start @@ -393,7 +426,9 @@ AT_CHECK([ovn-nbctl --timeout=1 --wait=hv sync]) OVN_CLEANUP([hv]) AT_CLEANUP +]) +OVN_FOR_EACH_NORTHD([ AT_SETUP([ovn -- nb_cfg sync to OVS]) ovn_start @@ -414,7 +449,9 @@ OVS_WAIT_UNTIL([ovs-vsctl get Bridge br-int external_ids:ovn-nb-cfg], [0], [1]) OVN_CLEANUP([hv1]) AT_CLEANUP +]) +OVN_FOR_EACH_NORTHD([ AT_SETUP([ovn -- features]) AT_KEYWORDS([features]) ovn_start 
@@ -431,3 +468,4 @@ OVS_WAIT_UNTIL([ OVN_CLEANUP([hv1]) AT_CLEANUP +])

From patchwork Fri Mar 5 12:16:30 2021 X-Patchwork-Submitter: Frode Nordahl X-Patchwork-Id: 1447799
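Review bot: in the @@ -54,6 +55,14 @@ hunk of tests/ovn-controller.at the three `kill \`cat .../*.pid\`` lines only send a signal and move on, so nothing in the test guarantees that northd has already written the RBAC rows (RBAC_Role/RBAC_Permission) before it is killed, nor that northd has actually exited before the test starts instrumenting the SB DB directly; a late write from a still-running northd would silently undo exactly the instrumentation the comment says it wants to protect. Consider waiting for the rows first (`ovn-nbctl --wait=sb sync`, as ovn_start already does in its AZ branch, or an OVS_WAIT_UNTIL on `ovn-sbctl list RBAC_Role`) and stopping the daemons with the file's existing `as <dir> OVS_APP_EXIT_AND_WAIT([...])` idiom instead of a bare kill. The comment should also say why the NB ovsdb-server is stopped, since it only talks about northd, and "successfull" should read "successful".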
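Review bot: the forced reconnect in the @@ -192,7 +203,21 @@ hunk is racy: `external-ids:ovn-remote` is set to `unix:/dev/null` and then restored by the very next `ovs-vsctl` transaction, with nothing in between waiting for ovn-controller to observe the bogus remote and drop its session. If the controller picks up both updates in one batch it keeps the old TLS session, and therefore the old CN, and the `OVS_WAIT_UNTIL` that follows is then checking the behaviour of the wrong identity. Suggest gating the restore on the connection actually going down (the "check sbdb connection" test in this same file shows how to poll the controller's connection status), and adding a comment on why `external-ids:hostname` now has to follow `system-id`, since neither the hunk nor the commit message says what depends on it under RBAC.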
From: Frode Nordahl To: dev@openvswitch.org Date: Fri, 5 Mar 2021 13:16:30 +0100 Message-Id: <20b4b5408c5249437f7efc02a884f4a925ad840e.1614945892.git.frode.nordahl@canonical.com> X-Mailer: git-send-email 2.30.0 MIME-Version: 1.0 Subject: [ovs-dev] [PATCH ovn v2 8/9] tests: Make certificate generation extendable X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" In preparation for enabling testing with SSL and RBAC enabled by default, rework the certificate generation so that we can easily add generation of more certificates/CN on demand. A side effect of the change is a more generic naming scheme for the certificate files so the patch also contains an update to existing tests so that they use the new filenames. Signed-off-by: Frode Nordahl Acked-by: Mark Michelson --- tests/automake.mk | 48 ++++++++++++++++++++++------------------------- tests/ovn.at | 48 +++++++++++++++++++++++------------------------ 2 files changed, 46 insertions(+), 50 deletions(-) diff --git a/tests/automake.mk b/tests/automake.mk index df6d0a2a9..771dddea2 100644 --- a/tests/automake.mk +++ b/tests/automake.mk
@@ -236,39 +236,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage FLAKE8_PYFILES += $(CHECK_PYFILES) if HAVE_OPENSSL -TESTPKI_FILES = \ - tests/testpki-cacert.pem \ - tests/testpki-cert.pem \ - tests/testpki-privkey.pem \ - tests/testpki-req.pem \ - tests/testpki-cert2.pem \ - tests/testpki-privkey2.pem \ - tests/testpki-req2.pem +OVS_PKI_DIR = $(CURDIR)/tests/pki +TESTPKI_CNS = test test2 +TESTPKI_FILES = $(shell \ + for cn in $(TESTPKI_CNS); do \ + echo tests/testpki-$$cn-cert.pem ; \ + echo tests/testpki-$$cn-privkey.pem ; \ + echo tests/testpki-$$cn-req.pem ; \ + done) + +tests/testpki-cacert.pem: tests/pki/stamp + $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@ + +$(TESTPKI_FILES): tests/pki/stamp + $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@ + +check_DATA += tests/testpki-cacert.pem check_DATA += $(TESTPKI_FILES) +CLEANFILES += tests/testpki-cacert.pem CLEANFILES += $(TESTPKI_FILES) -tests/testpki-cacert.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@ -tests/testpki-cert.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test-cert.pem $@ -tests/testpki-req.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test-req.pem $@ -tests/testpki-privkey.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test-privkey.pem $@ -tests/testpki-cert2.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test2-cert.pem $@ -tests/testpki-req2.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test2-req.pem $@ -tests/testpki-privkey2.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@ - -OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log + +OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log tests/pki/stamp: $(AM_V_at)rm -f tests/pki/stamp $(AM_V_at)rm -rf tests/pki $(AM_V_GEN)$(OVS_PKI) init && \ - $(OVS_PKI) req+sign tests/pki/test && \ - $(OVS_PKI) req+sign tests/pki/test2 && \ + for cn in $(TESTPKI_CNS); do \ + $(OVS_PKI) 
req+sign tests/pki/$$cn; \ + done && \ : > tests/pki/stamp CLEANFILES += tests/ovs-pki.log diff --git a/tests/ovn.at b/tests/ovn.at index ca9623fee..5cd8b34d7 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -8810,8 +8810,8 @@ AT_CHECK( start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ --remote=db:OVN_Southbound,SB_Global,connections \ - --private-key="$PKIDIR/testpki-privkey2.pem" \ - --certificate="$PKIDIR/testpki-cert2.pem" \ + --private-key="$PKIDIR/testpki-test2-privkey.pem" \ + --certificate="$PKIDIR/testpki-test2-cert.pem" \ --ca-cert="$PKIDIR/testpki-cacert.pem" \ ovn-sb.db @@ -8819,20 +8819,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) # read-only accesses should succeed AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list SB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list Connection], [0], [stdout], [ignore]) # write access should fail AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ chassis-add ch vxlan 1.2.4.8], [1], [ignore], [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} 
@@ -8860,8 +8860,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ # Populate SSL configuration entries in nb db AT_CHECK( - [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \ - $PKIDIR/testpki-cert.pem \ + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) # Populate a passive SSL connection in nb db @@ -8871,20 +8871,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) # Verify SSL connetivity to nb db server AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list NB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list Connection], [0], [stdout], [ignore]) AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ get-connection], [0], [stdout], [ignore]) @@ -8911,8 +8911,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ # Populate SSL configuration entries in sb db AT_CHECK( - [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \ - $PKIDIR/testpki-cert.pem \ + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) # Populate a passive SSL connection in sb db 
@@ -8922,20 +8922,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) # Verify SSL connetivity to sb db server AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list SB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list Connection], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ get-connection], [0], [stdout], [ignore])

From patchwork Fri Mar 5 12:16:31 2021 X-Patchwork-Submitter: Frode Nordahl X-Patchwork-Id: 1447800
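Review bot: in the tests/pki/stamp recipe of the @@ -236,39 +236,35 @@ hunk of tests/automake.mk the new `for cn in $(TESTPKI_CNS); do $(OVS_PKI) req+sign tests/pki/$$cn; done` loop swallows failures: the trailing `&& : > tests/pki/stamp` only sees the exit status of `done`, which is that of the last iteration, so a failed req+sign for any CN but the last still writes the stamp and the missing key pair surfaces only later as an opaque SSL failure in a test. The per-target `&&` chain being removed failed fast; add `|| exit 1` after the `$(OVS_PKI)` call inside the loop to keep that property.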
From: Frode Nordahl To: dev@openvswitch.org Date: Fri, 5 Mar 2021 13:16:31 +0100 Message-Id: <0451d5b1f7b24419666ca8160c5f0cfd99af117e.1614945892.git.frode.nordahl@canonical.com> X-Mailer: git-send-email 2.30.0 MIME-Version: 1.0 Subject: [ovs-dev] [PATCH ovn v2 9/9] tests: Test with SSL and RBAC for controller by default X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" To help ourselves to not forget updating RBAC rules when we land changes to existing functionality and new features we must enable SSL+RBAC on the `ovn-controller` <-> SB DB connection for builds with OpenSSL enabled. Signed-off-by: Frode Nordahl --- tests/automake.mk | 9 +++++++-- tests/ofproto-macros.at | 12 ++++++++++++ tests/ovn-macros.at | 38 ++++++++++++++++++++++++++++++++++++-- tests/ovn-northd.at | 6 +++--- 4 files changed, 58 insertions(+), 7 deletions(-) diff --git a/tests/automake.mk b/tests/automake.mk index 771dddea2..ba8567da4 100644 --- a/tests/automake.mk +++ b/tests/automake.mk @@ -237,7 +237,10 @@ FLAKE8_PYFILES += $(CHECK_PYFILES) if HAVE_OPENSSL OVS_PKI_DIR = $(CURDIR)/tests/pki -TESTPKI_CNS = test test2 +# NOTE: Certificate generation has to be done serially, and each one adds a few +# seconds to the test run. Please try to re-use one of the many CNs already +# used in the existing tests. +TESTPKI_CNS = test test2 main hv hv-foo hv1 hv2 hv3 hv4 hv5 hv6 hv7 hv8 hv9 hv10 hv-1 hv-2 hv-10-1 hv-10-2 hv-20-1 hv-20-2 vtep hv_gw pbr-hv gw1 gw2 gw3 gw4 gw5 ext1 TESTPKI_FILES = $(shell \ for cn in $(TESTPKI_CNS); do \ echo tests/testpki-$$cn-cert.pem ; \
@@ -262,9 +265,11 @@ tests/pki/stamp: $(AM_V_at)rm -f tests/pki/stamp $(AM_V_at)rm -rf tests/pki $(AM_V_GEN)$(OVS_PKI) init && \ + cd tests/pki && \ for cn in $(TESTPKI_CNS); do \ - $(OVS_PKI) req+sign tests/pki/$$cn; \ + $(OVS_PKI) -u req+sign $$cn; \ done && \ + cd ../../ && \ : > tests/pki/stamp CLEANFILES += tests/ovs-pki.log diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at index 3d7ac08b3..23d793a95 100644 --- a/tests/ofproto-macros.at +++ b/tests/ofproto-macros.at @@ -104,6 +104,7 @@ start_daemon () { # # sim_add hv0 # as hv0 ovs-vsctl add-br br0 +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" sims= sim_add () { echo "adding simulator '$1'" @@ -126,6 +127,17 @@ sim_add () { # Start ovs-vswitchd as $1 start_daemon ovs-vswitchd --enable-dummy=system -vvconn -vofproto_dpif -vunixctl as $1 ovs-appctl vlog/disable-rate-limit vconn + if test X$HAVE_OPENSSL = Xyes; then + if test -f $PKIDIR/testpki-$1-privkey.pem; then + as $1 ovs-vsctl set-ssl \ + $PKIDIR/testpki-$1-privkey.pem \ + $PKIDIR/testpki-$1-cert.pem \ + $PKIDIR/testpki-cacert.pem \ + || return 1 + else + echo "WARNING: No certificate created for sim '$1', check TESTPKI_CNS variable in tests/automake.mk" + fi + fi } # "as $1" sets the OVS_*DIR environment variables to point to $ovs_base/$1. diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at index be8114de2..25f3dbe34 100644 --- a/tests/ovn-macros.at +++ b/tests/ovn-macros.at 
@@ -124,7 +124,18 @@ ovn_init_db () { mkdir "$d" || return 1 : > "$d"/.$1.db.~lock~ as $as_d ovsdb-tool create "$d"/$1.db "$abs_top_srcdir"/$1.ovsschema - as $as_d start_daemon ovsdb-server -vjsonrpc --remote=punix:"$d"/$1.sock "$d"/$1.db + + local remote_in_db= + if test X$HAVE_OPENSSL = Xyes -a X"$1" = X"ovn-sb"; then + remote_in_db="--remote=db:OVN_Southbound,SB_Global,connections --private-key=$PKIDIR/testpki-test-privkey.pem --certificate=$PKIDIR/testpki-test-cert.pem --ca-cert=$PKIDIR/testpki-cacert.pem" + fi + + as $as_d start_daemon ovsdb-server \ + -vjsonrpc \ + --remote=punix:"$d"/$1.sock \ + $remote_in_db \ + "$d"/$1.db + local var=`echo $1_db | tr a-z- A-Z_` AS_VAR_SET([$var], [unix:"$d"/$1.sock]); export $var } @@ -193,6 +204,24 @@ ovn_start () { ovn_start_northd backup $AZ fi + if test X$HAVE_OPENSSL = Xyes; then + # Create the SB DB pssl+RBAC connection. Ideally we could pre-create + # SB_Global and Connection with ovsdb-tool transact at DB creation + # time, but unfortunately that does not work, northd-ddlog will replace + # the SB_Global record on startup. + ovn-sbctl \ + -- --id=@c create connection \ + target=\"pssl:0:127.0.0.1\" role=ovn-controller \ + -- add SB_Global . connections @c + local d=$ovs_base + if test -n "$AZ"; then + d=$d/$AZ + fi + PARSE_LISTENING_PORT([$d/ovn-sb/ovsdb-server.log], [TCP_PORT]) + var="SSL_OVN_SB_DB" + AS_VAR_SET([$var], [ssl:127.0.0.1:$TCP_PORT]); export $var + fi + if test -n "$AZ"; then ovn-nbctl --wait=sb sync || exit $? 
@@ -257,11 +286,16 @@ ovn_az_attach() { local ovn_remote if test X"$az" = XNONE; then - ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock + if test X$HAVE_OPENSSL = Xyes; then + ovn_remote=$SSL_OVN_SB_DB + else + ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock + fi else ovn_remote=unix:$ovs_base/$az/ovn-sb/ovn-sb.sock fi ovs-vsctl \ + -- set Open_vSwitch . external-ids:hostname=$sandbox \ -- set Open_vSwitch . external-ids:system-id=$sandbox \ -- set Open_vSwitch . external-ids:ovn-remote=$ovn_remote \ -- set Open_vSwitch . external-ids:ovn-encap-type=$encap \ diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index f3f88fa12..979a10b7d 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -746,7 +746,7 @@ check_row_count Datapath_Binding 1 lf=$(count_rows Logical_Flow) # Make nbdb ovsdb-server drop connection from ovn-northd. -conn=$(as ovn-nb ovs-appctl -t ovsdb-server ovsdb-server/list-remotes) +conn=$(as ovn-nb ovs-appctl -t ovsdb-server ovsdb-server/list-remotes|grep ^punix) check as ovn-nb ovs-appctl -t ovsdb-server ovsdb-server/remove-remote "$conn" conn2=punix:`pwd`/special.sock check as ovn-nb ovs-appctl -t ovsdb-server ovsdb-server/add-remote "$conn2" @@ -781,7 +781,7 @@ check_row_count Datapath_Binding 1 lf=$(count_rows Logical_Flow) # Make sbdb ovsdb-server drop connection from ovn-northd. -conn=$(as ovn-sb ovs-appctl -t ovsdb-server ovsdb-server/list-remotes) +conn=$(as ovn-sb ovs-appctl -t ovsdb-server ovsdb-server/list-remotes|grep ^punix) check as ovn-sb ovs-appctl -t ovsdb-server ovsdb-server/remove-remote "$conn" conn2=punix:`pwd`/special.sock check as ovn-sb ovs-appctl -t ovsdb-server ovsdb-server/add-remote "$conn2" @@ -2878,4 +2878,4 @@ wait_row_count FDB 0 ovn-sbctl list FDB AT_CLEANUP -]) \ No newline at end of file +])
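Review bot: the @@ -262,9 +265,11 @@ hunk of tests/automake.mk switches the recipe to `cd tests/pki && ... $(OVS_PKI) -u req+sign $$cn ... cd ../../` without a comment or a commit-message line saying why the working-directory change and the `-u` flag are needed, when `$(OVS_PKI) req+sign tests/pki/$$cn` from 8/9 produced usable certificates; please document it in the recipe so the next person touching the PKI setup does not remove it. The loop also still lacks an `|| exit 1`, so with thirty CNs a single failed req+sign does not prevent the stamp from being written.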
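Review bot: in the @@ -126,6 +127,17 @@ hunk of tests/ofproto-macros.at a simulator whose name is not in TESTPKI_CNS only gets an `echo "WARNING: ..."` on stdout and sim_add still returns success. Since ovn_az_attach then points `ovn-remote` at the SSL listener, such a controller can never authenticate and the test fails much later with an unrelated-looking timeout while the actionable hint scrolls by in the log. Given the `|| return 1` already on the set-ssl branch, make the missing-certificate case fail the same way (`return 1`), or at least send the warning to stderr.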
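Review bot: the ovn_start change in the @@ -193,6 +204,24 @@ hunk of tests/ovn-macros.at computes the SSL remote per availability zone (`d=$d/$AZ`) but stores it in the single variable SSL_OVN_SB_DB, which the last AZ to start overwrites, while the ovn_az_attach hunk (@@ -257,11 +286,16 @@) only consults it when `az` is NONE and keeps `unix:$ovs_base/$az/ovn-sb/ovn-sb.sock` otherwise. Net effect: multi-AZ tests still attach controllers over the unix socket and never exercise the RBAC-enforced pssl connection this series is meant to cover, and the per-AZ port parsing in ovn_start is dead work. Either derive a per-AZ variable name (the `var=\`echo $1_db | tr a-z- A-Z_\`` pattern in ovn_init_db does this already) and use it in the AZ branch, or drop the AZ handling from ovn_start and state in a comment that RBAC is only exercised in the single-AZ case.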
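Review bot: the ovn_init_db change in the @@ -124,7 +124,18 @@ hunk of tests/ovn-macros.at keeps the `--remote=punix:"$d"/$1.sock` listener alongside the new `--remote=db:OVN_Southbound,SB_Global,connections` one, and only the latter gets `role=ovn-controller` from ovn_start; that is what lets ovn-sbctl in the tests keep unrestricted write access while controllers are confined by RBAC. That split is intentional but not obvious from the code, so add a comment next to `remote_in_db` saying the punix remote is deliberately left outside RBAC for test tooling, otherwise someone will "fix" it by moving the tools to the SSL port and then wonder why every `ovn-sbctl` write is rejected. Nit: `$remote_in_db` is left unquoted on purpose for word splitting; a comment there too would stop a shellcheck-driven cleanup from breaking it.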